[Cisco] Telnet/SSH management access settings and notes on Firepower (ASA)

Firewall (UTM)

Operation confirmation environment

  • Firepower 2100 series
    • ASA OS 9.16.x

Configuration for Telnet access on Firepower (ASA)

Configuration for Telnet

■Setting local users for authentication

Local user settings for Telnet access authentication.

  • username <name> password <password>
ciscoasa(config)# username hogeuser password hogepassword

■Setting client IPs that are permitted to connect

This setting specifies which source client IP addresses (network and mask) are permitted Telnet access, and on which interface those connections arrive.

  • telnet <source_IP_address> <mask> <source_interface>
    • source_interface : the nameif of the interface on which the Telnet connections arrive
ciscoasa(config)# telnet 10.1.1.0 255.255.255.0 inside

■Settings for using local users as the authentication method

This setting is for using local users as the authentication method for Telnet access.

  • aaa authentication telnet console LOCAL
ciscoasa(config)# aaa authentication telnet console LOCAL

Telnet access permission in ACL is not required

You do not need to add a rule permitting Telnet to the interface ACL. Interface ACLs filter traffic passing through the ASA, not management traffic destined to the ASA itself; the telnet command above is what controls that access.

No Telnet access to the lowest security-level interface

Telnet access to the interface with the lowest security-level is not allowed, unless the Telnet session is carried inside a VPN tunnel.

Configuration for SSH access on Firepower (ASA)

Configuration for SSH access

■Generate RSA key pair required for SSH

Generate the RSA key pair that the SSH server requires.

  • crypto key generate rsa modulus <size>
    • size : key size. 512, 768, 1024, 2048, 3072, or 4096; 2048 or higher is recommended.
ciscoasa(config)# crypto key generate rsa modulus 2048

■Setting local users for authentication

Local user settings for SSH access authentication.

  • username <name> password <password>
ciscoasa(config)# username hogeuser password hogepassword

■Setting client IPs that are permitted to connect

This setting specifies which source client IP addresses (network and mask) are permitted SSH access, and on which interface those connections arrive.

  • ssh <source_IP_address> <mask> <source_interface>
    • source_interface : the nameif of the interface on which the SSH connections arrive
ciscoasa(config)# ssh 10.1.1.0 255.255.255.0 inside

■Settings for using local users as the authentication method

This setting is for using local users as the authentication method for SSH access.

  • aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication ssh console LOCAL

SSH access permission in ACL is not required

You do not need to add a rule permitting SSH to the interface ACL. As with Telnet, interface ACLs do not apply to management traffic destined to the ASA itself; the ssh command above is what controls that access.
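
The Telnet and SSH settings above (local user, permitted source networks per interface, and the aaa authentication line) are the pieces an administrator typically wants to audit after the fact. The following Python script is an added example, not code from the page or from Cisco: it parses a running-config excerpt and reports Telnet enabled at all, source networks broader than a chosen prefix length, Telnet configured on the interface with the lowest security-level (which the page notes only works inside a VPN tunnel), a missing aaa authentication line, and LOCAL authentication with no username. The configuration text is constructed for this example; it reuses the page's own commands and adds interface blocks, an extra telnet line and an over-broad ssh line so that the checks have something to flag.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt (not taken from a real device). It combines
# the commands shown on the page with interface blocks and two over-broad entries
# so that the audit below produces findings.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
username hogeuser password hogepassword
telnet 10.1.1.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
aaa authentication telnet console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
aaa authentication ssh console LOCAL
"""

# "<telnet|ssh> <ip> <mask> <nameif>"; other forms such as "ssh timeout 5" have a
# different token count and do not match.
ACCESS_RE = re.compile(r"^(telnet|ssh)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
AAA_RE = re.compile(r"^aaa authentication (telnet|ssh) console (\S+)")


def parse_config(text):
    """Extract interfaces (nameif -> security-level), management access entries
    (protocol, source network, nameif), aaa server groups per protocol, and usernames."""
    interfaces = {}
    access = []
    aaa = {}
    users = set()
    current = None  # state of the interface block being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = {"nameif": None, "level": None}
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()
            if parts[0] == "nameif":
                current["nameif"] = parts[1]
            elif parts[0] == "security-level":
                current["level"] = int(parts[1])
            if current["nameif"] and current["level"] is not None:
                interfaces[current["nameif"]] = current["level"]
            continue
        current = None  # any unindented line ends the interface block
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, nameif = m.groups()
            try:
                net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            except ValueError:
                continue  # e.g. "ssh key-exchange group ...": not a source entry
            access.append((proto, net, nameif))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa[m.group(1)] = m.group(2)
            continue
        if line.startswith("username "):
            users.add(line.split()[1])
    return interfaces, access, aaa, users


def audit(text, max_prefix_len=24):
    """Return a list of human-readable findings for the management-access settings."""
    interfaces, access, aaa, users = parse_config(text)
    findings = []
    lowest = min(interfaces.values()) if interfaces else None
    protos = {p for p, _, _ in access}
    if "telnet" in protos:
        findings.append("telnet: cleartext management access is enabled; prefer SSH")
    for proto, net, nameif in access:
        if net.prefixlen < max_prefix_len:
            findings.append(f"{proto}: source {net} on {nameif} is broader than /{max_prefix_len}")
        if nameif not in interfaces:
            findings.append(f"{proto}: interface {nameif} has no nameif/security-level in config")
        elif proto == "telnet" and interfaces[nameif] == lowest:
            findings.append(f"telnet: {nameif} has the lowest security-level ({lowest}); "
                            "Telnet there only works inside a VPN tunnel")
    for proto in sorted(protos):
        if proto not in aaa:
            findings.append(f"{proto}: no 'aaa authentication {proto} console' line")
        elif aaa[proto] == "LOCAL" and not users:
            findings.append(f"{proto}: LOCAL authentication configured but no username defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config saved to a file; the threshold max_prefix_len is the one tunable, and the "lowest security-level" check only fires for Telnet because the page's restriction applies to Telnet, not SSH.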

Case: “unknown host KEY type” error when accessing SSH

When connecting over SSH from a client, the error “unknown host KEY type” may be displayed and the connection fails.

This error occurs when the RSA key pair required for SSH has not been generated on Firepower (ASA). You can confirm whether a key pair exists with show crypto key mypubkey rsa; if none has been generated, generate one with the crypto key generate rsa modulus <size> command.

References

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.16 - Management Access [Cisco Secure Firewall ASA]
